Communication between on-premise and off-premise platforms is required in a Software as a Service (SaaS) environment. SaaS is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted on an off-premise platform (such as a shared computing resource or a cloud computing resource accessible via the Internet). SaaS is typically accessed by users of an on-premise platform, for example through a thin client such as a web browser.
On-premise platforms are well-established and considered to provide a good level of security because data is stored and handled internally, e.g., within an internal private network.
Off-premise platforms (such as cloud computing resources) are a relatively recent and evolving concept. Generally, reference to off-premise resources or platforms is taken to refer to a concept for enabling ubiquitous, convenient, and on-demand access via the Internet to shared pools of configurable off-premise (e.g. remotely located) computing resources such as networks, servers, storage, applications, functionalities, and the like. Conversely, reference to on-premise resources or platforms is taken to refer to a concept of local or private computing resources such as networks, servers, storage devices, applications, etc. that are situated locally or within/behind a virtual boundary (often behind a firewall).
Due to the required communication between on-premise and off-premise platforms in a SaaS environment, data flows in a SaaS environment frequently need to integrate with systems of record within a datacenter behind a firewall. Typically, this is done either by using Virtual Private Network (VPN) technology, or by setting up a mutually authenticated Transport Layer Security (TLS) connection that maps ports between the off-premise system (e.g. a cloud-based service) and the on-premise system (e.g. an internal private network) in order to access the systems of record directly. Both approaches often lead to an excessive amount of network traffic and latency, caused by the off-premise system making many calls to the on-premise system during the course of a single transaction.
Secure gateways exist that allow ports in the SaaS system to be mapped to on-premise ports, thereby making systems of record directly available to the SaaS. They are typically implemented as a mutually authenticated TLS connection, wherein the initial connection is made by an on-premise client program connecting out through a firewall to an off-premise server process running in the SaaS environment. This allows a connection to be established without having to explicitly open inbound ports in the firewall. Port mapping software is then used to redirect requests for systems of record from the SaaS back to the on-premise systems where the data is stored.
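The secure-gateway arrangement described in the two preceding paragraphs (an on-premise client dialing out through the firewall, a mutually authenticated TLS session, and requests then flowing back down that session to the system of record) can be shown end to end in a few dozen lines of Go. The program below is an added example written for this page, not code from the original text or from any particular gateway product: both sides run in one process on the loopback interface, the certificates are self-signed fixtures generated in memory, the hostnames `gateway.example` and `onprem-agent` are invented, and the `systemOfRecord` map is constructed sample data standing in for the on-premise database. The second session deliberately omits the client certificate to show that the "mutual" half of the handshake is what stops an unauthenticated peer from ever placing a request into the tunnel.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// systemOfRecord stands in for the on-premise database (constructed sample data).
var systemOfRecord = map[string]string{"customer:42": "ACME Corp"}

// selfSigned builds a self-signed ECDSA certificate for one side of the tunnel.
// Constructed test material: a deployment would use CA-issued certificates and
// trust that CA rather than pinning the leaf; it panics because these are fixtures.
func selfSigned(name string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the name the peer verifies against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage}, // one role per certificate: ServerAuth or ClientAuth
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// pool wraps one trusted certificate in a CertPool.
func pool(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

// connectOnPrem is the on-premise agent: it dials *out* through the firewall and
// answers the request that arrives over the tunnel from local data.
func connectOnPrem(addr string, cfg *tls.Config) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return
	}
	defer conn.Close()
	if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
		key := strings.TrimPrefix(strings.TrimSpace(line), "GET ")
		fmt.Fprintln(conn, systemOfRecord[key]) // empty answer for unknown keys
	}
}

// RunSession plays the off-premise (SaaS) gateway for one session and returns what
// it received from the on-premise agent. With presentClientCert=false the agent
// trusts the gateway but offers no certificate, so the handshake error is returned.
func RunSession(presentClientCert bool) (string, error) {
	serverCert, serverLeaf := selfSigned("gateway.example", x509.ExtKeyUsageServerAuth)
	clientCert, clientLeaf := selfSigned("onprem-agent", x509.ExtKeyUsageClientAuth)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" half of mutual TLS
		ClientCAs:    pool(clientLeaf),
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	agentCfg := &tls.Config{RootCAs: pool(serverLeaf), ServerName: "gateway.example", MinVersion: tls.VersionTLS12}
	if presentClientCert {
		agentCfg.Certificates = []tls.Certificate{clientCert}
	}
	go connectOnPrem(ln.Addr().String(), agentCfg)
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// The first write runs the handshake; an agent without a valid client
	// certificate fails here, before any request is placed into the tunnel.
	// The request travels against the direction in which the connection was
	// opened: the SaaS side asks, the on-premise side answers.
	if _, err := fmt.Fprintln(conn, "GET customer:42"); err != nil {
		return "", err
	}
	line, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(line), err
}

func main() {
	fmt.Println(RunSession(true))
	fmt.Println(RunSession(false))
}
```

Two points in the design are worth noticing. The gateway never opens an inbound port on the on-premise side: the only listening socket belongs to the off-premise process, and the agent connects outward, which is exactly why no firewall rule has to be added. And the data the SaaS side obtains is served by the agent from local storage, so the off-premise process holds only its own TLS certificate, never a credential for the system of record; the drawback discussed next arises when the off-premise software instead connects through the mapped port with such credentials itself.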
However, the drawback of this known approach is that the software running in the SaaS environment may make many calls to the on-premise systems of record, leading to excessively large amounts of data transfer in order to achieve the required tasks. This creates significant I/O performance bottlenecks. There are also security concerns with this approach, because the software running in the SaaS environment must hold the security credentials needed to connect to the on-premise systems of record.